[Samba] Combining "--complexity=off" and "check password script"

Brian Candler b.candler at pobox.com
Thu Dec 14 11:13:04 UTC 2017


I would like to understand how the "check password script" interacts 
with enabling/disabling password complexity checks.

That is: if I configure

     check password script = /usr/local/samba/sbin/crackcheck -d 
/var/cache/cracklib/cracklib_dict

is this called *in addition* to the default complexity checking, or 
instead of it? And if I set

     samba-tool domain passwordsettings set --complexity=off

with a check password script configured, does this setting disable the 
check password script as well, or just the built-in complexity checking?

What I am actually trying to achieve is:

- DISABLE the requirement for complex character sets in passwords, but
- ENABLE a dictionary check

following the NCSC password guidance: 
https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach

But looking at the samba4 source, I suspect that setting complexity=off 
disables both checks. Is that correct?

Thanks,

Brian.




More information about the samba mailing list